With a wide variety of constantly changing threats, a comprehensive, layered security approach is needed. A solution based solely on technology is not enough. An overall strategy for enterprise security needs to include not only hardware and software but appropriate policies, procedures and organizational structure to provide a sufficient level of security. The requirements are identified by a thorough assessment of security risks, says Steve Korb, senior security systems engineer with Premier Technologies.
Maintaining a security infrastructure is a continuous process. Regular assessments are useful to understand progress that has been made and to help prioritize what steps are needed to further mitigate potential threats to your business, says Korb.
Smart Business spoke with Korb about how security measures should be placed and implemented.
What are the elements of an effective security assessment?
Assessments need to be done in a methodical manner in order to produce results that are repeatable and easily compared against prior assessments. The goal of an assessment is to identify and understand corporate risks and what steps can be taken to eliminate or reduce the risks. Their impact on the organization should also be quantified. The final part of the assessment should provide potential remediation steps.
Companies should utilize such assessments to protect services, hardware and revenue. An assessment of a company’s Internet-accessible devices may reveal that a particular host is vulnerable due to a missing patch on the server. The impact depends on the services being provided by the application on the host, but problems could result in loss of revenue. In this case, the immediate remediation would be to patch the server. Long-term remediation also should be evaluated. Depending on the potential lost revenue, this could indicate the need for providing a more resilient environment with built-in redundancy and disaster-recovery plans.
What standards exist for doing security assessments?
A standards-based approach like ISO 17799 should be utilized. ISO is the International Organization for Standardization, and the 17799 standard is a comprehensive set of controls for information security. The standard contains a set of 39 key control objectives.
ISO 27001 is a closely related standard that provides specifications for the requirements of an information security management system (ISMS). A standard approach to assessing security provides a consistent method to understand the security posture of an organization.
With a full understanding of the risks and exposures an organization faces, a comprehensive security plan can be developed. The plan should include technical solutions as well as aspects such as a disaster-recovery plan and business continuity planning. A standard assessment approach can also help to stay in compliance with government regulations like Sarbanes-Oxley, HIPAA, GLBA and others.
How often should an assessment be done?
Once a strategy for corporate security is implemented, you cannot forget about it and assume assets will continue to be secure. An initial assessment will help prioritize and balance the plan against potential risks and expenditures, but the landscape is constantly changing, so a security plan needs to be adaptable to evolve with those changes. Periodic assessments should address changes that might affect the company’s overall security posture.
The best practice is to assess on an annual basis. In some cases, regulatory requirements may mandate annual assessments. In addition to a regular schedule of assessments, significant changes to the environment require assessments to be done.
Security measures such as disaster recovery and business continuity plans should also be tested on a regular basis. Finding out that a redundant firewall is not working when the primary goes down is not an ideal situation. Procedures need to be tested so that in the event of a real emergency, business can be back to normal as quickly as possible.
Change is inevitable with technology, and new vulnerabilities are discovered every day. The goal is to be vigilant about understanding the potential threats, understanding the impact they will have on business and minimizing the effect of these risks.
Should all identified risks be fully mitigated?
They need to be weighed against the potential impact to the business. Before a solution is implemented to mitigate any risk, there needs to be an analysis of the impact. There are acceptable risks. The potential impact of the vulnerability may be outweighed by the gain associated with providing a particular service to clients or end-users. You don’t want to implement a $50,000 solution for a $5,000 problem.
STEVE KORB is the senior security systems engineer with Premier Technologies. Reach him at SKorb@premweb.com.